Access control is the first Technical Safeguard standard of the HIPAA Security Rule. In HIPAA compliance terms it is the responsibility of every healthcare provider to allow access to electronic protected health information only to those users (or software programs) that have been granted access rights.
So no matter how much healthcare organisations spend on protecting their network perimeter, the investment can be completely undone by lax internal user security. Here we outline what organizations can do to improve HIPAA compliance around access control and keep patient data safe.
User Access Security is crucial to keeping patient data safe
User access to data can often be a matter of life and death; doctors need to be able to pull up a patient’s record at a moment’s notice to be able to make an informed decision. But organisations need to strike a balance between making data immediately accessible to the right people, while restricting access for others who do not need it to conduct their job.
Getting these access restrictions and controls right is crucial — especially in a sector that’s facing more and more scrutiny on HIPAA compliance.
HIPAA Access Control today – Some shocking truths for the healthcare industry
Our recent research into the healthcare industry and HIPAA compliance found that the lack of unique logins, reliance on manual logoffs and the use of concurrent logins are putting patient data at risk.
Users are, of course, human: they are flawed and will always act outside the boundaries of policy (and sometimes common sense). They are careless and often exploited. But rather than blaming their users, organizations should better protect their employees' network access and better verify identities.
Technology can fill the gaps to minimise these risks and decrease the surface area vulnerable to attack. Healthcare organizations must ensure that all network access is via a login that is unique to the employee, not shared, and all actions thereafter are attributable to the specific individual.
Doing so both safeguards sensitive patient data and helps satisfy HIPAA compliance.
UserLock helps address HIPAA Access Control
So what can organizations do to improve HIPAA compliance around access control and keep patient data safe?
The following is a set of basic security practices that will not only help to safeguard sensitive patient data, but also to satisfy HIPAA compliance.
For any organizations with a Windows Active Directory Infrastructure, UserLock can easily apply these non-intrusive, contextual access controls on all users to stop unwanted access and reduce the risk of compliance and security issues.
1. Do you give all users unique login credentials?
UserLock ensures that nobody can log on to the system without uniquely identifiable credentials.
2. Do you restrict users from sharing logins?
UserLock prevents concurrent logins with the same set of user credentials — helping to eradicate dangerous password sharing practices.
3. Can you attribute actions on the network to individual users?
UserLock helps administrators verify all users' identities at any time, making users accountable for any activity, malicious or otherwise.
4. Do you restrict network access on a job-role basis – by location and time restrictions?
UserLock enables the administrator to set granular access rights to different types of employees to ensure that they can only access the information they need to do their job.
5. Do you review network access for employees who change roles in the organisation?
UserLock enables administrators to easily change access rights (permanently or temporarily) for individual users, groups of users, or organisational units.
6. Do you enforce the secure use of passwords and verify a person is the one claimed?
UserLock strengthens unique network login credentials with context-aware access restrictions and user reminders, which help verify that a person seeking access to the network and the information within is genuinely who they say they are.
7. Do you monitor and alert on access to the network?
UserLock monitors all logon and logoff activity in real time to ensure that the only people who can access vital data are the people who need to. UserLock alerts administrators to any suspicious, disruptive or unusual logins based on time, location and device.
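The controls in items 2, 4 and 7 above (no concurrent sessions, access limited by time and location, and alerting on unusual logons) can be expressed as a small audit over a logon/logoff event stream. The following is an added illustration written for this article, not UserLock's own code; the event list, user policies, workstation names and the `audit` function are all constructed for the example.

```python
from datetime import datetime, time

# Constructed sample events, in recorded order: (user, workstation, action, timestamp).
# A real collector would derive these from the domain's logon and logoff audit records.
EVENTS = [
    ("drsmith", "WS-ER-01",  "logon",  "2024-03-04T08:05:00"),
    ("drsmith", "WS-ICU-07", "logon",  "2024-03-04T08:20:00"),  # second session while first is open
    ("drsmith", "WS-ER-01",  "logoff", "2024-03-04T09:00:00"),
    ("nurse_j", "WS-WARD-3", "logon",  "2024-03-04T02:15:00"),  # outside permitted hours
    ("nurse_j", "WS-WARD-3", "logoff", "2024-03-04T02:45:00"),
    ("admin1",  "WS-ER-01",  "logon",  "2024-03-04T10:00:00"),  # not one of this user's workstations
]

# Constructed per-user policy: permitted logon window and the workstations the role may use.
POLICY = {
    "drsmith": {"hours": (time(7), time(19)), "workstations": {"WS-ER-01", "WS-ICU-07"}},
    "nurse_j": {"hours": (time(7), time(19)), "workstations": {"WS-WARD-3"}},
    "admin1":  {"hours": (time(9), time(17)), "workstations": {"WS-ADMIN-1"}},
}


def audit(events, policy):
    """Replay logon/logoff events and return (user, workstation, reason) alerts in event order."""
    active = {}  # user -> set of workstations with an open session
    alerts = []
    for user, host, action, ts in events:
        when = datetime.fromisoformat(ts)
        sessions = active.setdefault(user, set())
        if action == "logoff":
            sessions.discard(host)  # closing a session never raises an alert
            continue
        rules = policy.get(user)
        if rules is None:
            alerts.append((user, host, "no access policy defined"))
        else:
            start, end = rules["hours"]
            if not (start <= when.time() < end):
                alerts.append((user, host, "logon outside permitted hours"))
            if host not in rules["workstations"]:
                alerts.append((user, host, "logon from unapproved workstation"))
        # Concurrent use of one credential: a second live session on a different workstation.
        if sessions and host not in sessions:
            open_on = ", ".join(sorted(sessions))
            alerts.append((user, host, "concurrent session already open on " + open_on))
        sessions.add(host)
    return alerts


if __name__ == "__main__":
    for alert in audit(EVENTS, POLICY):
        print(alert)
```

Each alert maps to one of the questions above, so the same replay can be used both to tune a policy before enforcing it and to demonstrate to an auditor which logons would have been blocked or flagged.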